nix
/
lib
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Specify full path for chown

This commit is contained in:
niten 2023-10-06 19:08:50 -07:00
parent 37bd62f950
commit 0890bb7b1e
2 changed files with 76 additions and 81 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
lib/fudo/auth/kerberos/kdc.nix
View File

@ -74,21 +74,18 @@ let
after = [ "network-online.target" ]; after = [ "network-online.target" ];
description = description =
"Heimdal Kerberos Key Distribution Center (primary ticket server)."; "Heimdal Kerberos Key Distribution Center (primary ticket server).";
path = with pkgs; [ heimdal coreutils ]; path = with pkgs; [ heimdal ];
serviceConfig = { serviceConfig = {
PrivateDevices = true; PrivateDevices = true;
PrivateTmp = true; PrivateTmp = true;
# PrivateMounts = true;
ProtectControlGroups = true; ProtectControlGroups = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
# ProtectSystem = true;
ProtectHostname = true; ProtectHostname = true;
# ProtectHome = true;
ProtectClock = true; ProtectClock = true;
ProtectKernelLogs = true; ProtectKernelLogs = true;
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
RestrictRealtime = true; RestrictRealtime = true;
# LockPersonality = true;
PermissionsStartOnly = false; PermissionsStartOnly = false;
LimitNOFILE = 4096; LimitNOFILE = 4096;
User = cfg.user; User = cfg.user;
@ -99,8 +96,8 @@ let
SecureBits = "keep-caps"; SecureBits = "keep-caps";
ExecStartPre = let ExecStartPre = let
chownScript = '' chownScript = ''
chown ${cfg.user}:${cfg.group} ${cfg.kdc.database} ${pkgs.coreutils}/bin/chown ${cfg.user}:${cfg.group} ${cfg.kdc.database}
chown ${cfg.user}:${cfg.group} ${cfg.kdc.state-directory}/kerberos.log ${pkgs.coreutils}/bin/chown ${cfg.user}:${cfg.group} ${cfg.kdc.state-directory}/kerberos.log
''; '';
in "+${chownScript}"; in "+${chownScript}";
ExecStart = let ExecStart = let

74
lib/lib/dns.nix
View File

@ -7,15 +7,16 @@ let
pthru = obj: builtins.trace obj obj; pthru = obj: builtins.trace obj obj;
remove-blank-lines = str: remove-blank-lines = str:
concatStringsSep "\n\n" concatStringsSep "\n\n" (filter builtins.isString (builtins.split ''
(filter builtins.isString
(builtins.split "\n\n\n+" str));
n-spaces = n:
concatStringsSep "" (builtins.genList (_: " ") n);
pad-to-length = strlen: str: let
spaces = n-spaces (strlen - (stringLength str)); +'' str));
n-spaces = n: concatStringsSep "" (builtins.genList (_: " ") n);
pad-to-length = strlen: str:
let spaces = n-spaces (strlen - (stringLength str));
in str + spaces; in str + spaces;
record-matcher = builtins.match "^([^;].*) IN ([A-Z][A-Z0-9]*) (.+)$"; record-matcher = builtins.match "^([^;].*) IN ([A-Z][A-Z0-9]*) (.+)$";
@ -24,7 +25,8 @@ let
max-int = foldr (a: b: if (a < b) then b else a) 0; max-int = foldr (a: b: if (a < b) then b else a) 0;
make-zone-formatter = zonedata: let make-zone-formatter = zonedata:
let
lines = splitString "\n" zonedata; lines = splitString "\n" zonedata;
records = filter is-record lines; records = filter is-record lines;
split-records = map record-matcher records; split-records = map record-matcher records;
@ -32,21 +34,23 @@ let
record-index-maxlen = i: max-int (map (index-strlen i) split-records); record-index-maxlen = i: max-int (map (index-strlen i) split-records);
in record-formatter (record-index-maxlen 0) (record-index-maxlen 1); in record-formatter (record-index-maxlen 0) (record-index-maxlen 1);
record-formatter = name-max: type-max: let record-formatter = name-max: type-max:
let
name-padder = pad-to-length name-max; name-padder = pad-to-length name-max;
type-padder = pad-to-length type-max; type-padder = pad-to-length type-max;
in record-line: let in record-line:
record-parts = record-matcher record-line; let record-parts = record-matcher record-line;
in in if (record-parts == null) then
if (record-parts == null) then
record-line record-line
else (let else
(let
name = elemAt record-parts 0; name = elemAt record-parts 0;
type = elemAt record-parts 1; type = elemAt record-parts 1;
data = elemAt record-parts 2; data = elemAt record-parts 2;
in "${name-padder name} IN ${type-padder type} ${data}"); in "${name-padder name} IN ${type-padder type} ${data}");
format-zone = zonedata: let format-zone = zonedata:
let
formatter = make-zone-formatter zonedata; formatter = make-zone-formatter zonedata;
lines = splitString "\n" zonedata; lines = splitString "\n" zonedata;
in concatStringsSep "\n" (map formatter lines); in concatStringsSep "\n" (map formatter lines);
@ -61,11 +65,8 @@ let
join-lines (mapAttrsToList (makeSrvRecords protocol) services); join-lines (mapAttrsToList (makeSrvRecords protocol) services);
makeMetricRecords = metric-type: records: makeMetricRecords = metric-type: records:
join-lines join-lines (map (record:
(map (record: "${metric-type}._metrics._tcp IN SRV ${toString record.priority} ${
"${metric-type}._metrics._tcp IN SRV ${
toString record.priority
} ${
toString record.weight toString record.weight
} ${toString record.port} ${record.host}.") records); } ${toString record.port} ${record.host}.") records);
@ -96,33 +97,31 @@ let
}; };
}; };
hostRecords = hostname: nethost-data: let hostRecords = hostname: nethost-data:
sshfp-records = map (sshfp: "${hostname} IN SSHFP ${sshfp}") let
nethost-data.sshfp-records; sshfp-records =
map (sshfp: "${hostname} IN SSHFP ${sshfp}") nethost-data.sshfp-records;
a-record = optional (nethost-data.ipv4-address != null) a-record = optional (nethost-data.ipv4-address != null)
"${hostname} IN A ${nethost-data.ipv4-address}"; "${hostname} IN A ${nethost-data.ipv4-address}";
aaaa-record = optional (nethost-data.ipv6-address != null) aaaa-record = optional (nethost-data.ipv6-address != null)
"${hostname} IN AAAA ${nethost-data.ipv6-address}"; "${hostname} IN AAAA ${nethost-data.ipv6-address}";
description-record = optional (nethost-data.description != null) description-record = optional (nethost-data.description != null)
''${hostname} IN TXT "${nethost-data.description}"''; ''${hostname} IN TXT "${nethost-data.description}"'';
in join-lines (a-record ++ in join-lines
aaaa-record ++ (a-record ++ aaaa-record ++ sshfp-records ++ description-record);
sshfp-records ++
description-record);
cnameRecord = alias: host: "${alias} IN CNAME ${host}"; cnameRecord = alias: host: "${alias} IN CNAME ${host}";
dmarcRecord = dmarc-email: dmarcRecord = dmarc-email:
optionalString (dmarc-email != null) optionalString (dmarc-email != null) ''
''_dmarc IN TXT "v=DMARC1;p=quarantine;sp=quarantine;rua=mailto:${dmarc-email};"''; _dmarc IN TXT "v=DMARC1;p=quarantine;sp=quarantine;rua=mailto:${dmarc-email};"'';
mxRecords = mxs: map (mx: "@ IN MX 10 ${mx}.") mxs; mxRecords = mxs: map (mx: "@ IN MX 10 ${mx}.") mxs;
nsRecords = map (ns-host: "@ IN NS ${ns-host}"); nsRecords = map (ns-host: "@ IN NS ${ns-host}");
flatmapAttrsToList = f: attrs: flatmapAttrsToList = f: attrs:
foldr (a: b: a ++ b) [] (mapAttrsToList f attrs); foldr (a: b: a ++ b) [ ] (mapAttrsToList f attrs);
srvRecordPair = domain: protocol: service: record: { srvRecordPair = domain: protocol: service: record: {
"_${service}._${protocol}.${domain}" = "_${service}._${protocol}.${domain}" =
@ -135,8 +134,7 @@ let
$ORIGIN ${dom}. $ORIGIN ${dom}.
$TTL ${zone.default-ttl} $TTL ${zone.default-ttl}
${optionalString (zone.default-host != null) ${optionalString (zone.default-host != null) "@ IN A ${zone.default-host}"}
"@ IN A ${zone.default-host}"}
${join-lines (mxRecords zone.mx)} ${join-lines (mxRecords zone.mx)}
@ -164,6 +162,9 @@ let
zone.subdomains)} zone.subdomains)}
''; '';
concatMapAttrs = f: attrs:
concatMap (x: x) (mapAttrsToList (key: val: f key val) attrs);
in rec { in rec {
srvRecords = with types; attrsOf (attrsOf (listOf (submodule srvRecordOpts))); srvRecords = with types; attrsOf (attrsOf (listOf (submodule srvRecordOpts)));
@ -171,14 +172,11 @@ in rec {
srvRecordsToBindZone = srvRecords: srvRecordsToBindZone = srvRecords:
join-lines (mapAttrsToList makeSrvProtocolRecords srvRecords); join-lines (mapAttrsToList makeSrvProtocolRecords srvRecords);
concatMapAttrs = f: attrs:
concatMap (x: x) (mapAttrsToList (key: val: f key val) attrs);
srvRecordsToPairs = domain: srvRecords: srvRecordsToPairs = domain: srvRecords:
listToAttrs (concatMapAttrs (protocol: services: listToAttrs (concatMapAttrs (protocol: services:
concatMapAttrs concatMapAttrs
(service: records: map (srvRecordPair domain protocol service) records) services) (service: records: map (srvRecordPair domain protocol service) records)
srvRecords); services) srvRecords);
zoneToZonefile = timestamp: dom: zone: zoneToZonefile = timestamp: dom: zone:
remove-blank-lines (format-zone '' remove-blank-lines (format-zone ''